The infection chain began when I browsed to luxurenailbar.com, which is a site that has been compromised for weeks now. That website is being injected with what is known as the EITest script. Even within the last week the script pattern has changed. Below is an image taken from the website’s source code on October 11, 2016:

Long story short, this ended up redirecting the host to a Rig EK server, which then dropped Chthonic (a modification of ZeuS) banking malware. Here is a screenshot of the payload dropped on the host and some post-infection traffic to the C2 (107.181.187.178, resolving to hoverprestigojalles.com):

Today when I visited the compromised website the EITest script looked like this:

As you can see, it isn’t using the same kind of obfuscation and decoding mechanism that it was employing 8 days ago. Instead, the URL is easy to spot in the script. Once the page loaded, the host was redirected to the Rig EK URL located in the script. Here are the GET requests for the Rig EK landing page and Flash exploit:

Following the Flash exploit we see the GET request for the payload:

The returned HTTP traffic resulted in B55F.tmp being dropped in %TEMP%. We can also see that nuocebipcotn.exe was dropped at C:\Users\{user}\nuocebipcotn.exe. This malware created the following registry keys, meant to enable its automatic execution at system startup:

Restarting the computer generated the same POST requests, etc.
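The writeup shows the autorun registry keys only as a screenshot, so here is an added example (not from the writeup) of the check a responder would run over an exported Run-key listing to spot this persistence pattern: an executable sitting directly under the user's profile folder and registered to run at startup. The registry dump is constructed in the layout of `reg query` output, and the value name "nuocebipcotn" and the profile path "C:\Users\alice" are assumptions, not values from the infected host.

```python
"""
Triage autorun (Run-key) entries for the persistence pattern the writeup
describes: an executable dropped directly under the user's profile folder
and registered to run at startup.

Added example, not from the writeup. The dump below is constructed in the
layout of `reg query` output; the value name "nuocebipcotn" and the profile
path are assumptions.
"""
import re

# Constructed dump of the two most common autorun keys (assumed content).
SAMPLE_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive        REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    nuocebipcotn    REG_SZ    C:\Users\alice\nuocebipcotn.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth  REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Locations a legitimately installed autorun entry rarely points at.
SUSPICIOUS_PATHS = (
    (r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", "executable directly in a user profile root"),
    (r"\\temp\\", "executable under a Temp directory"),
    (r"%temp%", "executable under %TEMP%"),
    (r"\\appdata\\", "executable under AppData"),
)


def executable_path(data):
    """Extract the program path from a Run value's data (quoted or not)."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def parse_reg_dump(text):
    """Yield (key, name, type, data) tuples from reg-query style output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            key = line.strip()  # an unindented line is a key path
            continue
        # Value lines are "<name>  <type>  <data>" separated by runs of spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) == 3 and key:
            yield (key, parts[0], parts[1], parts[2])


def triage_run_keys(text):
    """Return one finding per autorun entry pointing at a suspicious location."""
    findings = []
    for key, name, _vtype, data in parse_reg_dump(text):
        path = executable_path(data)
        for pattern, reason in SUSPICIOUS_PATHS:
            if re.search(pattern, path, re.IGNORECASE):
                findings.append({"key": key, "name": name, "path": path, "reason": reason})
                break
    return findings


if __name__ == "__main__":
    for finding in triage_run_keys(SAMPLE_DUMP):
        print(finding)
```

On a live host the same function can be fed the output of `reg query` for each Run key; the location heuristics are deliberately narrow so that vendor entries under Program Files or %windir% are not flagged.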

nuocebipcotn.exe:

The post-infection traffic (found at the beginning of this brief writeup) is consistent with the PushDo/Cutwail Botnet.
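The request sequence described above (compromised site, Rig EK landing page, Flash exploit, payload, then POSTs to the C2) can be reconstructed from a proxy log by chaining on the Referer header. The following is an added example, not code from the writeup: the log format and the exploit-kit host name (ek-host.example) are constructed, and only the C2 IP and domain are the ones the writeup reports.

```python
"""
Reconstruct a drive-by chain of the shape this writeup describes from a
proxy log: compromised site -> exploit-kit landing page -> Flash exploit ->
payload download -> post-infection POST to the C2.

Added example, not from the writeup. The log format and the exploit-kit
host (ek-host.example) are constructed; the C2 indicators are the ones the
writeup reports.
"""
import re
from collections import namedtuple

LogEntry = namedtuple("LogEntry", "ts client method host path referer ctype")

# Post-infection C2 indicators reported in the writeup.
C2_INDICATORS = {"107.181.187.178", "hoverprestigojalles.com"}

# Constructed log lines:
# "<HH:MM:SS> <client> <method> <host> <path> <referer> <content-type>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 GET luxurenailbar.com / - text/html
10:00:02 10.0.0.5 GET ek-host.example /landing?x=1 http://luxurenailbar.com/ text/html
10:00:03 10.0.0.5 GET ek-host.example /exploit.swf http://ek-host.example/landing?x=1 application/x-shockwave-flash
10:00:04 10.0.0.5 GET ek-host.example /payload?y=2 http://ek-host.example/landing?x=1 application/octet-stream
10:00:09 10.0.0.5 POST hoverprestigojalles.com /in - application/x-www-form-urlencoded
10:00:10 10.0.0.7 GET example.org /index.html - text/html
"""


def parse_log(text):
    """Parse the constructed seven-column format; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 7:
            entries.append(LogEntry(*parts))
    return entries


def referer_host(referer):
    """Host part of an absolute Referer URL, or None when there is none ('-')."""
    m = re.match(r"https?://([^/]+)", referer)
    return m.group(1) if m else None


def find_chains(entries):
    """Return one record per client whose traffic shows the full chain."""
    by_client = {}
    for e in entries:
        by_client.setdefault(e.client, []).append(e)

    chains = []
    for client, events in by_client.items():
        for i, landing in enumerate(events):
            # Candidate landing page: an HTML GET reached by a cross-site
            # redirect (Referer host differs from the requested host), which
            # is what the injected script on the compromised site produces.
            if landing.method != "GET" or landing.ctype != "text/html":
                continue
            ref_host = referer_host(landing.referer)
            if ref_host is None or ref_host == landing.host:
                continue
            landing_url = "http://%s%s" % (landing.host, landing.path)
            later = events[i + 1:]
            # Flash exploit and payload are both fetched with the landing
            # page as Referer.
            flash = next((e for e in later if e.referer == landing_url
                          and e.ctype == "application/x-shockwave-flash"), None)
            payload = next((e for e in later if e.referer == landing_url
                            and e.ctype == "application/octet-stream"), None)
            if flash is None or payload is None:
                continue
            # POSTs after the payload fetch to a known C2 indicator.
            beacons = [e.host for e in later
                       if e.method == "POST" and e.ts > payload.ts
                       and e.host in C2_INDICATORS]
            chains.append({
                "client": client,
                "referer_site": ref_host,
                "ek_host": landing.host,
                "landing": landing.path,
                "flash": flash.path,
                "payload": payload.path,
                "c2_beacons": beacons,
            })
    return chains


if __name__ == "__main__":
    for chain in find_chains(parse_log(SAMPLE_LOG)):
        print(chain)
```

The Referer chaining matters because the landing, exploit and payload URLs of a kit like Rig change constantly, whereas the shape of the sequence (cross-site redirect into HTML, then Flash, then a binary from the same host, then beaconing) does not; the C2 indicator match is the only part that relies on values from this specific incident.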